SOCIAL SECURITY

MEMORANDUM

Date:      May 16, 2008                                                     Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   Performance Indicator Audit: Postentitlement Actions (A-15-07-17130)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 13 of the Social
Security Administration’s (SSA) performance indicators established to comply with the
Government Performance and Results Act. Attached is the final report presenting the
results of three of the performance indicators PwC reviewed. For the performance
indicators included in this audit, PwC’s objectives were to:

•   Assess the effectiveness of internal controls and test critical controls over data
    generation, calculation, and reporting processes for the specific performance
    indicator.
•   Assess the overall reliability of the performance indicator’s computer processed
    data.
    Data are reliable when they are complete, accurate, consistent and not
    subject to inappropriate alteration.
•   Test the accuracy of results presented and disclosed in SSA’s Fiscal Year 2006 and
    2007 Performance and Accountability Reports.
•   Assess if the performance indicator provides a meaningful measurement of the
    program it measures and the achievement of its stated objective.

This report contains the results of the audit for the following indicators:

•   Number of SSI [Supplemental Security Income] disabled beneficiaries earning at
    least $100 per month.
•   Number of Supplemental Security Income (SSI) non-disability redeterminations
    processed.
•   Number of periodic CDRs [Continuing Disability Reviews] processed to determine
    continuing entitlement based on disability.

Please provide within 60 days a corrective action plan that addresses each
recommendation. If you wish to discuss the final report, please call me or have your
staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at
(410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PERFORMANCE INDICATOR AUDIT:
POSTENTITLEMENT ACTIONS

May 2008    A-15-07-17130

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse.
We provide timely, useful and reliable information and advice to Administration
officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

•   Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
•   Promote economy, effectiveness, and efficiency within the agency.
•   Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
•   Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
•   Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

•   Independence to determine what reviews to perform.
•   Access to all information necessary for the reviews.
•   Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and
management by proactively seeking new ways to prevent and deter fraud, waste
and abuse.
We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

MEMORANDUM

Date:      May 1, 2008

To:        Inspector General

From:      PricewaterhouseCoopers, LLP

Subject:   Performance Indicator Audit: Postentitlement Actions (A-15-07-17130)

OBJECTIVE
The Government Performance and Results Act (GPRA) [1] of 1993 requires that the
Social Security Administration (SSA) develop performance indicators that assess the
relevant service levels and outcomes of each program activity. [2] GPRA also calls for a
description of the means employed to verify and validate the measured values used to
report on program performance. [3]

Our audit was conducted in accordance with generally accepted government auditing
standards for performance audits. For the performance indicators included in this audit,
our objectives were to:

1. Assess the effectiveness of internal controls and test critical controls over the
   data generation, calculation, and reporting processes for the specific
   performance indicator.

2. Assess the overall reliability of the performance indicator’s computer
   processed data. Data are reliable when they are complete, accurate,
   consistent and not subject to inappropriate alteration. [4]

3. Test the accuracy of results presented and disclosed in SSA’s Fiscal Year
   (FY) 2006 and 2007 Performance and Accountability Reports (PAR).

4. Assess if the performance indicator provides a meaningful measurement of
   the program it measures and the achievement of its stated objective.

[1] Public Law Number 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 United States
Code (U.S.C.), 31 U.S.C. and 39 U.S.C.).
[2] 31 U.S.C. § 1115(a)(4).
[3] 31 U.S.C. § 1115(a)(6).
[4] Government Accountability Office (GAO), GAO-03-273G, Assessing Reliability of Computer Processed
Data, October 2002, p. 3.

Performance Indicator Audit: Postentitlement Actions (A-15-07-17130)

BACKGROUND
We audited the following performance indicators, as stated in the SSA FY 2006 or FY
2007 PAR. [5]

Performance Indicator                               Goal                   Reported Results

Number of SSI [Supplemental Security                FY 2006                FY 2006 Actual
Income] disabled beneficiaries [6] earning at       268,419                247,143
least $100 per month [7]

Number of Supplemental Security Income              FY 2007                FY 2007 Actual
(SSI) non-disability redeterminations               1,026,000              1,038,948
[(RZ)] processed [8]

Number of periodic CDRs [Continuing                 FY 2007                FY 2007 Actual
Disability Reviews] processed to                    729,000                764,852
determine continuing entitlement based
on disability [9]

SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI),
and SSI programs. The OASI program, authorized by Title II of the Social Security Act
(Act), provides income for eligible workers and for eligible members of their families and
survivors. [10] The DI program, also authorized by Title II of the Act, provides income for
eligible workers with qualifying disabilities and for eligible members of their families,
before those workers reach retirement age. [11] The SSI Program, authorized by Title XVI
of the Act, was designed as a needs-based program to provide or supplement the
income of aged, blind, and/or disabled individuals with limited income and resources. [12]

[5] The period of review for indicator, "Number of SSI disabled beneficiaries earning at least $100 per
month," was FY 2006. The period of review for indicators, "Number of Supplemental Security Income
(SSI) non-disability redeterminations processed" and "Number of periodic CDRs processed to determine
continuing entitlement based on disability," was FY 2007.
[6] Although SSA uses the term “beneficiaries” in the title of this performance indicator, the term “recipients”
is typically used when describing individuals who receive SSI.
[7] SSA FY 2006 PAR, p. 83.
[8] SSA FY 2007 PAR, p. 70.
[9] Id. p. 71.
[10] The Act §§ 201-234, 42 U.S.C. §§ 401-434.
[11] Id.
[12] The Act §§ 1601-1637, 42 U.S.C. §§ 1381-1383f.

To ensure continuous and correct payment of claims, SSA periodically performs
reassessments of SSI recipients’ non-medical factors (SSI Non-Disability RZs) as well
as reassessments of DI and SSI beneficiaries’ disability factors (periodic CDRs) to
determine ongoing benefit eligibility.

SSI RZs are post-eligibility reviews of SSI non-medical factors, such as income,
resources, and living arrangements. This information is used to determine recipients’
financial eligibility for continued payment. RZs are scheduled based on the likelihood of
changes in circumstances that may affect the payment amount. Unscheduled RZs are
completed on an “as needed” basis and are triggered when SSA learns of certain
changes in circumstances that could affect the continuing SSI payment amount.

SSA completes periodic DI and SSI CDRs to determine whether a disabled individual
continues to be medically eligible to receive benefits.
Periodic CDRs are required at a
minimum of every 3 years [13] unless SSA has determined the disability was classified as
permanent, or the beneficiary has enrolled in the Ticket to Work program. [14] Periodic
CDRs are conducted by questionnaire (mailer) or by a medical reexamination of the
beneficiaries’ disability.

RESULTS OF REVIEW
Overall, we found the three indicators to be meaningful. However, our assessment
identified issues with internal controls and data reliability for the three indicators in this
review. Specifically, we noted weaknesses in the operating effectiveness of access
controls related to application transactions. Specific to the indicators, "Number of
Supplemental Security Income (SSI) non-disability redeterminations processed" and
"Number of periodic CDRs processed to determine continuing entitlement based on
disability," we noted programmers had update access to production datasets. It should
be noted that during the audit, SSA management took corrective action to address
these issues. However, as a result of the internal control weaknesses that existed
during the period of review, we did not find the performance indicators data to be
reliable.

We did not identify any significant exceptions related to the accuracy of presentation or
disclosure of the information related to these indicators contained in the PAR or to the
meaningfulness of these indicators.

[13] The Act, § 221(i), 42 U.S.C. § 421(i).
[14] Ticket to Work and Work Incentives Improvement Act of 1999, Pub. L. No. 106-170.

Number of SSI disabled beneficiaries earning at least $100 per month

Indicator Background

SSA provides work incentive programs to SSI disabled recipients with jobs.
These work incentives include the following.

•   Ticket To Work - This program is designed to assist disabled beneficiaries to obtain
    employment. Enrollees may use the ticket to obtain the vocational rehabilitation
    services, employment services, and other support services needed to return to
    work or go to work for the first time. As long as a beneficiary is using a ticket (as
    determined under SSA criteria), SSA will not initiate a CDR.
•   Plan to Achieving Self-Support - This program allows SSI recipients to set
    employment goals and set aside money for these goals. The wages earned under
    this program will not affect their SSI eligibility or payment amount.
•   Special Benefits under sections 1619(a) and (b) of the Act [15] - These programs
    allow SSI recipients to work without losing SSI and Medicaid eligibility.
•   Impairment-Related Work Expenses - This program allows SSI recipients to use
    income to obtain items, such as a cane or wheelchair, without the income used to
    obtain such items affecting their SSI eligibility or payment amount.
•   Blind Work Expenses - This program does not count any earned income that an
    SSI recipient uses to meet expenses that are required for the beneficiary to work.
    Candidates must be receiving SSI payments due to blindness. Blind work expense
    items do not have to be related to their blindness. [16]

While participating in the work incentive programs, SSI recipients are required to report
their earnings to SSA. The main methods SSA uses to obtain SSI recipients' earnings
include the following.

•   SSI recipients report their earnings to SSA field offices (FO), SSA’s 1-800 number,
    or by sending a letter to SSA.
    After receipt of the recipients’ earnings evidence
    (such as pay stubs for wages or a tax return for self-employment), FO staff inputs
    earnings information into the Supplemental Security Record (SSR) via the
    Modernized Supplemental Security Income Claims System (MSSICS).
•   SSA uses information contained in the Master Earnings File (MEF) to determine
    whether there were any unreported earnings or earning discrepancies. The MEF is
    a data repository for the Earnings Record Maintenance System (ERMS), containing
    earnings data from employers and the Internal Revenue Service (IRS). The MEF then
    interfaces with the SSR to provide SSI recipients' earnings information in the form of MEF
    alerts/diaries. This interface occurs in October, February and June. SSA also
    receives quarterly State wage data from the Office of Child Support Enforcement.
    As a result, alerts are generated when earned income data on the SSR do not match
    within predefined tolerance levels with the MEF.

[15] The Act §§ 1619(a) and (b), 42 U.S.C. §§ 1382h(a) and (b).
[16] http://www.socialsecurity.gov/disabilityresearch/wi/generalinfo.htm#work.

SSA uses the information from the MEF and the Office of Child Support Enforcement to
check for any discrepancies. After investigating and reconciling earnings discrepancies,
SSA FO staff corrects or posts verified earnings information into MSSICS, if necessary.
The Supplemental Security Income Records Maintenance System (SSIRMS) processes
the earnings information posted by FO staff to the recipients' SSRs.

Each quarter, the Office of Research, Evaluation, and Statistics receives the Work
Incentive File from the Office of Applications and Supplemental Security Income
Systems.
This file contains terminated and active data records that include
beneficiaries’ Social Security numbers and earnings information. The type of
earnings for each beneficiary is recorded as one of the following categories:
S (self-employment), W (wages), C (blind work expense), D (income excluded under
approved plan), T (impairment related work expenses), N (net loss), and B (student
earned income exclusion). These data elements are extracted and formatted into an
Excel file using Statistical Analysis Software. Each quarter, this Excel file is sent to the
performance indicator owner in the Office of Retirement and Disability Policy, Office of
Employment Support Programs. [17] The performance indicator owner manually
calculates the results of the SSI recipients earning at least $100 per month from the
Excel spreadsheet. Each quarter, the performance indicator is sent to the Office of
Strategic Management (OSM) to be incorporated as part of the centralized performance
indicator tracking report.

Performance Indicator Calculation

Number of SSI disabled beneficiaries      =     Average of the SSI disabled
earning at least $100 per month                 beneficiaries earning at least $100 for
                                                the last month of each quarter during the
                                                fiscal year

The average number of SSI disabled recipients earning at least $100 per month for the
last month of each quarter during the FY is reported in the PAR.

Findings

Internal Controls and Data Reliability

Our review of access controls noted that information technology personnel had
excessive and/or unmonitored access to the Customer Information Control System
(CICS) screens that allowed updates to SSA data via the programmatic mainframe
applications, including MSSICS and ERMS. CICS is a transaction processing system
designed for both on-line and batch activity.
SSA management did not appropriately
monitor access to these transactions. The SSA Information System Security Handbook
(ISSH) states, "Access to all SSA functions associated with software or enterprise
systems must be managed based on need-to-know and least privilege. This specifically
includes changes/updates to software, production jobs, and supporting hardware
deployments. This access control maintenance policy must be applied across the SSA
enterprise." [18] In addition, Office of Management and Budget (OMB) Circular A-130
requires that agencies implement the practice of least privilege, whereby user access is
restricted to the minimum necessary to perform his or her job; and enforce a separation
of duties so steps in a critical function are divided among different individuals. It also
emphasizes the importance of management controls – such as individual accountability
requirements, separation of duties enforced by access controls, and limitations on the
processing privileges of individuals – to prevent and detect inappropriate or
unauthorized activities. [19]

[17] This function was previously performed by the Office of Disability and Income Security Programs, which
was part of a reorganization effective February 2008.

This issue was noted during the FY 2006 financial statement audit. Also, during the
audit timeframe, SSA management began monitoring the IT personnel usage of these
transactions.
However, because this internal control weakness existed during the
period of review, we did not find the performance indicator data to be reliable.

Number of Supplemental Security Income (SSI) non-disability
redeterminations processed

Indicator Background

SSI non-disability cases are selected for redeterminations based on the date of the
recipients’ last RZ and characteristics that distinguish low-error, middle-error, and
high-error cases. The selected recipients are tracked in the Post-Entitlement Operational
Data Store (PEODS). The RZ data are updated in the SSR, which is the master record
for SSI recipients.

Based on error profiles, the cases are assigned either to the Wilkes-Barre Data
Operations Center (WBDOC) or an FO. Claims representatives at the FO typically
perform high-error profile RZs; however, beginning in October 2006, high-error cases
have been released to the WBDOC for processing. These cases are processed in the
same manner as the low- and middle-error cases, but using different forms, as
discussed below.

Claims representatives (CR) at FOs will handle high-error profile RZs or WBDOC
exclusion cases through face-to-face or telephone interviews. SSA requests that the
SSI recipients bring financial documentation, such as rent receipts or bank records, to
the interviews. During the interview, the CR inputs any changes to the recipients’
non-medical factors via MSSICS, which updates the SSR with changes to the recipients’
non-medical factors. The SSR provides data to PEODS to update the status of the RZ
once it is completed.

[18] SSA ISSH, Section 16.3, p. 49.
[19] OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Resources, p. 5.

Low- and middle-error profile RZs are reviewed by records processing clerks at the
WBDOC.
SSI recipients are mailed forms to complete and return to the WBDOC.
Second requests are mailed out if recipients do not respond to the first mailing within
90 days. If WBDOC does not receive the form within 180 days of the first mailing
(90 days from the second mailing) and no disposition data have been posted, the SSI
and PEODS systems will automatically transfer control of the RZ to the servicing office.
All returned forms are manually reviewed for completeness at the WBDOC. During the
mailer reviews, the records processing clerk inputs changes into MSSICS. If “no
change” is indicated on the form, a completion indicator is posted to the SSR. The SSR
provides data to PEODS to update the status of the RZ once it is completed.

Each week, PEODS transfers the composite high, middle, and low RZ data to the Title
XVI Datawarehouse. Once a month, the Division of Cost Analysis reviews the RZ data
maintained in the Title XVI Datawarehouse and provides the RZ information to OSM.
The year-to-date total of the completed RZs is recorded in the PAR.

Performance Indicator Calculation

Total SSI Non-Disability RZs            =       Total Completed RZs for the period of
Processed for FY 2007                           October 1, 2006 to September 28, 2007

Findings

Internal Controls and Data Reliability

Our review of access controls revealed the following issues.
•   One programmer had unmonitored access to the MSSICS CICS transactions, and
    this access was not reviewed by SSA management.
•   One programmer had update access to SSIRMS datasets, and this access was not
    restricted or reviewed by SSA management. [20]

The SSA ISSH states, "Access to all SSA functions associated with software or
enterprise systems must be managed based on need-to-know and least privilege.
This
specifically includes changes/updates to software, production jobs, and supporting
hardware deployments. This access control maintenance policy must be applied across
the SSA enterprise." [21] In addition, OMB Circular A-130 requires that agencies
implement the practice of least privilege, whereby user access is restricted to the
minimum necessary to perform his or her job, and enforce a separation of duties so
steps in a critical function are divided among different individuals. It also emphasizes
the importance of management controls – such as individual accountability
requirements, separation of duties enforced by access controls, and limitations on the
processing privileges of individuals – to prevent and detect inappropriate or
unauthorized activities.

[20] SSA management assigned the profile to the individual’s secondary $id; therefore, this finding was
remediated. A $id is the authentication method to access SSA's systems.
[21] SSA ISSH, Section 16.3, p. 49.

These issues, which were noted during the FY 2007 financial statement audit, could
result in the accidental or inappropriate alteration of the data used to support the
performance indicator. It should be noted that during the audit, SSA management
began monitoring the programmers' access to the SSIRMS datasets. However,
because these internal control weaknesses existed during the period of review, we did
not find the performance indicator data to be reliable.

Number of periodic CDRs processed to determine continuing entitlement
based on disability

Indicator Background

Periodic CDRs are conducted through full medical reviews or beneficiary-completed
questionnaires (mailers). The type of CDR to be completed is determined by the
beneficiaries’ probability of medical improvement.
Beneficiaries with a high probability
of medical improvement receive a full medical CDR.

A CDR begins when an FO receives an alert to review a beneficiary’s case folder,
containing background and medical information on the beneficiary, to determine
whether a full medical CDR should be performed. The FO is able to determine the need
for a full medical CDR, based on SSA policy. If unable to readily make that decision, it
is transferred to the State disability determination services (DDS). The folders identified
for full medical CDRs are also transferred to DDS for medical adjudication. The DDS
disability adjudicator reviews the folder to determine whether a full medical CDR should
be performed. If a full medical CDR is not performed, the beneficiary’s record is
updated in the Disability Control File and the case is not included in the performance
indicator count.

When a full medical CDR is completed by the DDS, the determination of “continuance,”
“cessation,” or “no decision” is input into the National Disability Determination Services
System (NDDSS). NDDSS transfers these data to the Disability Operational Data Store
(DIODS). DIODS produces the State Agency Operations Report on a monthly basis.
Refer to the following formula.

Total full medical CDRs processed       =       Total recorded medical CDRs less
                                                work-issue CDRs [22]

CDR mailers are performed for beneficiaries who have a low probability of medical
improvement. These beneficiaries are identified through profiling, which is the process
in which the Office of Disability Determinations ranks all Title II and XVI recipients based
on the probability of cessation.
The mailer forms request information about the
beneficiaries’ medical improvement, recent education or training, and recent attempts to
work or return to work. CDR mailers are tracked in the Office of Retirement and
Disability Policy. [23]

Beneficiaries return completed CDR mailers to the WBDOC. The WBDOC reviews the
mailers for completeness and creates a data file to capture relevant information. The
data file is sent to the Office of Continuing Disability Reviews Support to process using
the beneficiary’s mailer responses. The possible outcomes for the mailer CDRs are

•   deferred for a full medical review;
•   full medical review;
•   administrative closure; or
•   Processing Center review.

The Office of Disability Determinations updates the Disability Control File to reflect the
results of the Office of Continuing Disability Reviews Support processing and
completion of the CDR mailers. Only completed CDR mailers that have been deferred
for a full medical review are included in the performance measure count. Refer to the
following formula.

Total completed CDR mailer              =       Total completed CDR mailers that have
deferrals                                       been deferred for full medical review

The CDR Mailer Deferrals report produces the total deferred CDR mailers completed on
a monthly basis. The year-to-date total of the completed full medical CDRs on the
report is combined with the year-to-date total of the deferred CDR mailers and is
recorded in the PAR.

[22] A work-issue CDR is an unscheduled full medical review that is performed to evaluate the beneficiary’s
medical eligibility as a result of earnings being posted to the MEF against a beneficiary’s record. Since
these are not periodic CDRs, they are not included in the count.
[23] This function was previously performed by the Office of Disability and Income Security Programs, which
was part of a reorganization effective February 2008.

Performance Indicator Calculations

Total fiscal year-to-date CDRs          =       Total full medical CDRs processed
processed                                       for the period October 1, 2006 to
                                                September 28, 2007 plus the total
                                                completed CDR mailer deferrals for the
                                                period October 1, 2006 to September 30,
                                                2007 [24]

Findings

Internal Controls and Data Reliability

Our review of access controls revealed the following issues.
•   One programmer had unmonitored access to the MSSICS CICS transactions, and
    this access was not reviewed by SSA management.
•   One programmer had update access to SSIRMS datasets, and this access was not
    restricted or reviewed by SSA management. [25]
•   Two users had excessive access to the NDDSS CICS transactions, and did not
    require this access to perform their job responsibilities. [26]
•   Programmers had update access to NDDSS production datasets, and did not
    require this access to perform their job responsibilities. [27]

The SSA ISSH states, "Access to all SSA functions associated with software or
enterprise systems must be managed based on need-to-know and least privilege. This
specifically includes changes/updates to software, production jobs, and supporting
hardware deployments.
This access control maintenance policy must be applied across
the SSA enterprise." [28] In addition, OMB Circular A-130 requires that agencies
implement the practice of least privilege whereby user access is restricted to the
minimum necessary to perform his or her job; and enforce a separation of duties so that
steps in a critical function are divided among different individuals. It also emphasizes
the importance of management controls – such as individual accountability
requirements, separation of duties enforced by access controls, and limitations on the
processing privileges of individuals – to prevent and detect inappropriate or
unauthorized activities.

[24] The last processing day for CDR full medical data is the last Friday of FY 2007.
[25] SSA management assigned the profile to the individual’s secondary $id; therefore this finding was
remediated. A $id is the authentication method to access SSA's systems.
[26] SSA management appropriately updated all user access based on job responsibilities; therefore, this
finding was remediated.
[27] SSA management appropriately updated all user access based on job responsibilities; therefore, this
finding was remediated.
[28] SSA ISSH, Section 16.3, p. 49.

These issues, which were noted during the FY 2007 financial statement audit, could
result in the accidental or inappropriate alteration of the data used to support the
performance indicator.
It should be noted that during the audit, SSA management began monitoring the programmers' access to the SSIRMS datasets and removed the excessive application business user and programmer access to the NDDSS application. However, because these internal control weaknesses existed during the period of review, we did not find the performance indicator data to be reliable.

RECOMMENDATION
We recommend SSA:

    1. Consistently restrict access to CICS screens and datasets for ERMS, MSSICS, SSIRMS, and NDDSS based on the concept of least privilege access.

AGENCY COMMENTS
The Agency agreed with our recommendation. The Agency’s comments are included in Appendix D.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Process Flowcharts
APPENDIX D – Agency Comments

Appendix A
Acronyms
Act        Social Security Act
CDR        Continuing Disability Review
CICS       Customer Information Control System
DDS        Disability Determination Services
DI         Disability Insurance
DIODS      Disability Operational Data Store
ERMS       Earnings Record Maintenance System
FO         Field Office
FY         Fiscal Year
GAO        Government Accountability Office
GPRA       Government Performance and Results Act
IRS        Internal Revenue Service
ISSH       SSA Information System Security Handbook
MBR        Master Beneficiary Record
MEF        Master Earnings File
MSSICS     Modernized Supplemental Security Income Claims System
NDDSS      National Disability Determination Services System
OMB        Office of Management and Budget
ORES       Office of Research, Evaluation, and Statistics
OSM        Office of Strategic Management
PAR        Performance and Accountability Report
PEODS      Post-Entitlement Operational Data Store
RZ         Redetermination
SSIRMS     Supplemental Security Income Records Maintenance System
SSA        Social Security Administration
SSI        Supplemental Security Income
SSR        Supplemental Security Record
U.S.C.     United States Code
WBDOC      Wilkes-Barre Data Operations Center

Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration’s (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and questions to SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following.

• Reviewed prior SSA, Office of the Inspector General and other reports related to SSA’s GPRA performance and related information systems.
• Reviewed applicable laws, regulations and SSA policy.
• Met with the appropriate SSA personnel to confirm our understanding of the performance indicator.
• Flowcharted the process.
  (See Appendix C.)
• Tested key controls related to manual or basic computerized processes (for example, spreadsheets or databases).
• Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.
• Identified attributes, rules, and assumptions for each defined data element or source document.
• Recalculated the metric or algorithm of the performance indicator to ensure mathematical accuracy.
• Assessed the completeness and accuracy of the data to determine the data's reliability as they pertain to the objectives of the audit and intended use of the data.

As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency’s mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency’s mission, goals, objectives, and processes was used to determine if the performance indicator appeared to be valid and appropriate given our understanding of SSA’s mission, goals, objectives and processes.

We followed all performance audit standards in accordance with generally accepted government auditing standards.

In addition to these steps, we specifically performed the following to test the indicator included in this report.

Specific to the performance indicator, “Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month”

• Inspected relevant policies and procedures as necessary.
• Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas.
    o Ensured that monthly earnings information provided by the claimant was accurately posted to the Supplemental Security Record (SSR) by reviewing 45 redetermination (RZ) cases in the field offices (FO). RZs are a review of the beneficiaries’ non-medical eligibility factors (that is, income, resources and living arrangements) to ensure that they are still eligible for and are receiving the correct SSI payment. Documents, such as pay stubs, are reviewed and used to determine the beneficiaries’ eligibility when applicable.
    o Ensured that monthly earnings information submitted by employers was complete and accurate by verifying that returned submissions were resubmitted in a timely fashion. Specifically, reviewed reports of unresolved items remaining for the current tax year and compared SSA earnings records to Internal Revenue Service earnings information.
    o Ensured that data extracts were complete, valid and restricted by review of programming logic and extract code, review of user access, and change control.
    o Completed application control reviews over the Modernized Supplemental Security Income Claims System (MSSICS), Supplemental Security Income Records Maintenance System (SSIRMS), and Earnings Record Maintenance System (ERMS).
    o Completed a general computer control review as it relates to MSSICS, SSIRMS and ERMS.
• Re-performed key processes within test environments to verify controls.

Specific to the performance indicator, “Number of Supplemental Security Income (SSI) non-disability redeterminations processed”

• Inspected relevant policies and procedures as necessary.
• Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas.
    o Ensured that RZs were completed in accordance with SSA policy by reviewing 45 RZ cases in FOs.
    o Ensured that data transferred from Post-Entitlement Operational Data Store (PEODS) was complete, accurate, valid, and restricted by re-performing reconciliations of data transfer to an Oracle database.
    o Completed application control reviews over MSSICS and SSIRMS, and PEODS.
    o Completed a general computer control review as it relates to MSSICS and SSIRMS.
• Re-performed key processes within
  test environments to verify controls.

Specific to the performance indicator, “Number of periodic CDRs [Continuing Disability Reviews] processed to determine continuing entitlement based on disability”

• Inspected relevant policies and procedures as necessary.
• Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas.
    o Ensured that CDRs were complete and accurate by testing 45 full medical CDRs. Checked to verify that recently completed reviews were conducted correctly and whether the decision and completion date of the CDR was accurate on the SSR/Master Beneficiary Record. In addition, reviewed high profile case files for full medical review.
    o Observed the CDR mailer process at the Wilkes-Barre Data Operations Center.
    o Completed application control review over National Disability Determination Services System and Disability Operational Data Store.
• Determined the adequacy of the programming logic used by SSA to calculate the full medical reviews processed.
• Re-performed key processes to verify controls.

Appendix C

Flowchart of the Number of Supplemental Security Income (SSI) Disabled Beneficiaries Earning at Least $100 per Month

[Flowchart boxes, in reading order]
• Data input of earnings, manually or via Modernized Supplemental Security Income Claims System (MSSICS)
• Supplemental Security Income Records Maintenance System (SSIRMS) processes earnings to the beneficiaries’ Supplemental Security Record (SSR)
• Earnings Record Maintenance System (ERMS) updates Master Earnings File (MEF) with data from employers and the Internal Revenue Service (IRS)
• IRS File Comparison
• SSR
• MEF interfaces with SSR and alerts SSA to resolve earnings discrepancies
• SSR extract (Characteristic Extract Record Format)
• Formatted into Excel Spreadsheet using Statistical Analysis Software (SAS)
• Compiled into SSI Disabled Recipients Who Work Report (Table 7)
• Manual calculation of results in Excel Spreadsheet for Performance Indicator
• Results are submitted to Office of Strategic Management (OSM)
• OSM publishes results to the Performance and Accountability Report (PAR)

Flowchart of Supplemental Security Income (SSI) disabled beneficiaries earning at least $100 per month - Narrative
• SSI beneficiaries provide Social Security Administration (SSA) field office (FO) staff with earnings information. FO staff inputs the unverified earnings information via direct input or via Modernized Supplemental Security Income Claims System (MSSICS).
• After receipt of the beneficiaries' earnings evidence (pay stubs for wages or a tax return for self-employment), SSA FO staff inputs verified earnings information into the Supplemental Security Record (SSR) via direct input or via MSSICS.
• SSI Records Maintenance System (SSIRMS) processes earnings information posted by FO staff to the beneficiaries’ SSR.
• The Earnings Record Maintenance System (ERMS) updates the Master Earnings File (MEF) with earnings data from employers and the Internal Revenue Service. SSA uses information in the MEF to determine if there are any unreported earnings or earnings discrepancies.
• The MEF interfaces with the SSR to provide SSI beneficiary earnings information in the form of MEF alerts/diaries every 4 months (October, February and June).
• SSIRMS processes earnings information to the beneficiaries’ SSR.
• On a quarterly basis, the Office of Research, Evaluation and Statistics (ORES) receives the data extract from the SSR in a Characteristic Extract Record Format from the
  Office of Applications and Supplemental Security Income Systems (OASSIS).
• ORES formats the data extract into an Excel file using Statistical Analysis Software.
• The quarterly results are compiled in a table (referred to as Table 7) and published annually in the SSI Disabled Recipients Who Work report by ORES.
• On a quarterly basis, ORES sends the Table 7 to the performance indicator owner in the Office of Disability Income Security Programs, Office of Program Development and Research.
• Office of Program Development and Research manually calculates the results of the SSI beneficiaries earning at least $100 per month using an Excel spreadsheet.
• Office of Program Development and Research forwards the results to Office of Retirement and Disability Policy.
• Office of Retirement and Disability Policy (the Office of the Deputy Commissioner) reviews/approves and sends the results of the calculation to OSM. 1
• OSM publishes the results in the Performance and Accountability Report (PAR).

1 This function was previously performed by the Office of Disability and Income Security Programs, which was part of a reorganization effective February 2008.

Flowchart of Supplemental Security Income (SSI) Non-Disability Redeterminations (RZ) Processed

[Flowchart boxes, in reading order]

Scheduled Redeterminations (RZs)
• (1 A) Redetermination merge run system selects cases for scheduled redetermination and limited issue processing. Field Offices (FOs) and beginning in October 2006 a Wilkes-Barre Data Operations Center (WBDOC) handle high error cases. At WBDOC these cases are processed in the same manner as the low and middle error cases, but using different forms. FOs typically handle high-error profile and WBDOC exclusion cases through face-to-face or telephone interview.
• (1 B) RZ data is entered in Modernized Supplemental Security Income Claims System (MSSICS). [to connector A]

Mailers
• (2 A) Redetermination merge run system selects cases for scheduled redetermination and limited issue processing. Mailer forms are returned to the WBDOC and manually reviewed for completeness.
• Decision: Is the form complete? (Yes / No)
• (2 B) WBDOC employees follow up if any additional key information is needed from the mailer.
• (2 C) Mailers are scanned and reviewed through an exception logic process that compares the answers on the mailer to the Supplemental Security Record (SSR).
• (2 D) The mailer record is sorted into one of five categories: automated completion, two WBDOC actions and two FO actions.
• (2 E) WBDOC and FO follow up on additional actions needed to complete RZ.
• (2 F) Completion data is posted to the MSSICS. [to connector A]

Unscheduled Redeterminations
• (1 C) Events such as the death of an eligible spouse and the effectuation of certain appellate decisions trigger unscheduled RZs.
• FO use form SSA-8203-BK or MSSICS to conduct the RZ.
• (1 D) RZ data is entered in MSSICS. [to connector A]

Flowchart of SSI Non-Disability RZs Processed, continued

[Flowchart boxes, in reading order, from connector A]
• (3 A) SSI Update System updates SSR with RZ case data daily.
• (3 A) SSI Update System updates Post-Entitlement Operational Data Store (PEODS) with RZ case data daily.
• (3 B) When a RZ is processed, the case is updated and considered “complete” in the PEODS.
• (3 C) The information is processed daily in PMDWSTG1, an Oracle database maintained by Office of Earnings, Enumeration, and Administrative Systems (OEEAS).
• (3 D) OEEAS checks the transaction count of the data received from PEODS for completeness.
• (3 D) The information is processed every Friday on PMDWSTG1 and pushed to PMDWQRY1, an Oracle database for users.
• (3 E) Reports called RZSDO and LISDO are run by Division of Cost Allocation (DCA) monthly which displays the information for the indicator weekly or monthly and keeps totals of RZ cases available, completed, and pending.
• (3 E) DCA reviews the information along with the Regional Office (RO) and FO users for accuracy.
• (3 F) PM amts shown on RZSDO are sent to Office of Strategic Management (OSM) and reported in the PAR.

Flowchart of Supplemental Security Income (SSI) Non-Disability Redeterminations (RZ) Processed – Narrative
Scheduled RZs
• Claims representatives at the Field Offices (FO) typically handle high-error profile redeterminations through face-to-face or telephone interviews. However, beginning in October 2006 a number of high error cases are also identified and released for Wilkes-Barre Data Operations Center (WBDOC) processing. These cases are processed in the same manner as the low and middle error cases, but using different forms.
• The updated information is input via on-line entry to the Modernized Supplemental Security Income Claims System (MSSICS).
• The Supplemental Security Record (SSR) is updated by overnight batch processing and the information is transferred using the SSI Update System to Post-Entitlement Operational Data Store (PEODS).

Mailers
• WBDOC conducts RZs that have low and middle error profiles using computer generated mail-out forms to be completed and returned by the beneficiaries. In addition, beginning in October 2006 a number of high error cases are also identified and released for WBDOC processing.
  These cases are processed in the same manner as the low and middle error cases, but use forms Social Security Administration (SSA)-3988/3989-OCR rather than the SSA-8202-OCR.
• Forms are manually reviewed for completeness.
• Incomplete forms are followed up by WBDOC employees.
• Mailers are scanned and reviewed through an exception logic process that compares the answers on the mailer to the SSR.
• The mailer record is sorted into one of five categories: automated completion, two WBDOC actions and two FO actions.
• WBDOC and FO follow up on additional actions needed to complete RZ.
• If a complication develops in the case, the case is transferred to the servicing FO.
• If “no change” is indicated, a completion indicator is posted to the SSR.
• The SSR is updated by overnight batch processing and the information is transferred using the SSI Update System to PEODS.

Unscheduled RZs
• Events such as the death of an eligible spouse and the effectuation of certain appellate decisions trigger unscheduled RZs.
• FO uses form SSA-8203-BK or MSSICS to conduct the RZ similar to a scheduled RZ.
• The updated information is input via on-line entry to the MSSICS.
• The SSR is updated by overnight batch processing and the information is transferred using the SSI Update System to PEODS.

After Batch Update
• Once the SSR and PEODS are updated, the cases, identified by Social Security Numbers, are considered "complete" receipts in PEODS.
• When the processing of a redetermination is done and updated by the FO in MSSICS, a completion count is taken.
• PEODS redetermination
  data are updated automatically once a week.
• The information is processed daily in the Title XVI Datawarehouse and available to users every Monday.
• Once a month, the Division of Cost Accounting reviews the redetermination data on reports called the RZ SDO and LI SDO Reports and sends the completion data to the Office of Strategic Management, which is reported at year-end in SSA’s Performance and Accountability Report.

Flowchart of the Number of Periodic Continuing Disability Reviews (CDR) Processed to Determine Continuing Entitlement Based on Disability

[Flowchart boxes, in reading order]

Full Medical Review Continuing Disability Reviews (CDRs)
• “Direct Releases” to initiate high profile cases for Full Medical Review CDRs
• Cases forwarded to Disability Determination Services (DDS) from the Field Office (FO) to perform medical adjudication
• (1 A) Findings are inputted into National Disability Determination Services System (NDDSS) to report outcome “continuance”, and “cessation”
• (1 B) Data transferred from NDDSS to Disability Operational Data Store (DIODS)
• (1 C) Medical CDRs are posted on monthly State Agency Operations Report (SAOR) Year to Date (YTD) report produced from DIODS
• Total CDRs less the number of recorded cases that are work issue CDRs equals the Periodic Medical CDRs processed
• The performance measure is reported monthly to Office of Strategic Management (OSM)
• [from connector A] Update of decision and completion date posted to Supplemental Security Record/Master Beneficiary Record (SSR/MBR)

CDR Mailers
• (2 A) Mailer forms are returned to the Wilkes-Barre Data Operations Center (WBDOC) and manually reviewed for completeness.
• Decision: Is the form complete? (Yes / No)
• (2 B) WBDOC employees follow up if any additional key information is needed from the mailer.
• Mailer goes through a scanning process at the WBDOC
• (2 C) The mailer data is processed through decision logic at the Central Office and a determination is made as either deferred, full medical review, or Processing Center (PC) review. (PC review can make the determination to defer, full medical review, or administrative closure.)
• Alerts are generated for cases marked for a full medical review [to connector A]
• [connector B] Update of mailer data and determination result to SSR/MBR

The Performance Measure (PM)
                                      Office of Disability              The OCDRS CDR                PC makes the
data is pulled monthly from the
                                      Determinations (ODD), OCDRS       Tracking file queries the    determination that
Office of Continuing Disability
                                      CDR Tracking File is updated      Disability Control File      the case is a
Reviews Support (OCDRS)\n                                                      with deferral mailer data                 (DCF) for PC Review                   deferral and\n       CDR Tracking Files by the CDR\n                                                                (2 D)                                 deferrals                    updates the DCF\n                   MI System\n\n\n\n\n                                                                                                                                            PM 16\n                                                                                                                                        calculation =\n                      CDR MI System                        The mailer deferral                                                          total medical\n                       Periodic CDR                         number from the                                                                 CDRs\n                      Table is created                     table is reported to         B                     B                         processed +\n                                                              OSM monthly                                                                CDR mailer\n                                                                                                                                            cases\n                                                                                                                                         recorded as\n                                                                                                                                           deferred\n\n\n\n\nPerformance Indicator Audit: Postentitlement Actions (A-15-07-17130)                                                                                                        C-7\n\x0cFlowchart of Number of Periodic Continuing Disability\nReviews (CDR) 
Processed to Determine Continuing Entitlement Based on Disability – Narrative

Periodic CDRs Processed

Full Medical Reviews
   • Field Offices (FO) forward the cases to the State disability determination services
     (DDS) to perform the medical adjudication.
   • Once a determination is made by the DDS, the findings are input into the
     National Disability Determination Services System (NDDSS) to report the
     outcome, either “continuance,” “cessation,” or “no decision” in the event of an
     administrative closure. Updates to decisions and completion dates are posted to
     the Supplemental Security Record (SSR) or Master Beneficiary Record (MBR).
   • The data is transferred from the NDDSS to the Disability Operational Data Store
     (DIODS).
   • The medical CDRs are posted monthly on a State Agency Operations Report
     year-to-date report, which is produced from the DIODS.
   • The information, available weekly but reported monthly to the Commissioner’s
     Tracking Report, is used to calculate the performance indicator. The total
     recorded CDRs less the number of recorded cases that are work issue CDRs
     equals the number of reported medical CDRs processed.

CDR Mailers
   • Once a scannable mailer is received by the Wilkes-Barre Data Operations Center
     (WBDOC), there is a preliminary screening for completeness.
   • Incomplete forms are followed up by WBDOC employees.
   • The mailer form is both scanned by equipment using optical character
     recognition and physically input/keyed to create a data file.
   • The data file is transmitted to the National Computer Center (NCC) at the Central
     Office.
     NCC formats and names the file that is then passed along to the Office of
     Continuing Disability Reviews Support.
   • The Office of Continuing Disability Reviews Support processes the data through
     decision logic. The decision logic considers the beneficiary’s mailer responses
     together with the profile score signifying high, moderate, or low likelihood of
     cessation due to medical improvement. The possible outcomes are deferred,
     full medical review, administrative closure, or Processing Center review.
     Updates of mailer data and determination results are input to SSR/MBR. Alerts
     are generated for cases marked for a full medical review.
   • The Office of Disability Determinations makes the appropriate input to update the
     Disability Control File to reflect the results of decision logic processing.
   • The Processing Center can make a determination of deferral, full medical review,
     or administrative closure.
   • The Office of Continuing Disability Reviews Support CDR Tracking file queries
     the Disability Control File for Processing Center Review deferrals.
   • The Office of Continuing Disability Reviews Support CDR Tracking File is
     updated with deferral mailer data.
   • The performance indicator data is pulled monthly from the Office of Continuing
     Disability Reviews Support CDR Tracking Files using a FOCEXEC program.
   • CDR Mailer Deferral Report (table) is created.
   • The sections of the report are totaled on an Excel spreadsheet and reported to
     the Office of Strategic Management monthly for the performance measure
     calculation.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      April 30, 2008                                   Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      David V. Foster /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “Performance Indicator Audit:
           Postentitlement Actions” (A-15-07-17130)—INFORMATION

We appreciate OIG’s efforts in conducting this review. Our response to the recommendation is
attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to
Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S DRAFT REPORT,
“PERFORMANCE INDICATOR AUDIT: POSTENTITLEMENT ACTIONS”
(A-15-07-17130)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation 1

Consistently restrict access to the Customer Information Control System screens and datasets for
the Earnings Records Maintenance System, Modernized Supplemental Security Income Claims
System, Supplemental Security Income Records Maintenance System, and National Disability
Determination Services System based on the concept of least privilege access.

Comment

We agree. As the report notes, we have implemented corrective actions as these deficiencies
emerged.
We continue to believe the security over our critical high-risk systems is very strong.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and
Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and
Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
'